罗姆病毒的变种专杀,恶鹰变种AT病毒分析报告

恶鹰变种AT病毒分析报告 - 电脑安全 - 电脑教程网

恶鹰变种AT病毒分析报告

日期:2006-03-11   荐:

病毒信息:

病毒名称: Worm.Beagle.at中文名称: 恶鹰变种at病毒别名: I-Worm.Bagle.at[AVP] 病毒长度: 17924 威胁级别: 三级病毒类型: 蠕虫 受影响系统: WinNT/Win2000/WinXP/Windows2003发现时间: 2004年10月29日

病毒简介:

该病毒通过邮件进行传播,用户运行邮件附件后,会尝试关闭计算机内的反病毒软件,并从网上下载一个后门。该蠕虫,还会在受感染的机器的文件中搜索电子邮件,并向搜索到的地址发送邮件。诱惑用户打开运行病毒程序。该病毒会向外发送大量的带毒邮件,严重的堵塞用户网络。建议用户开启防火墙来防止该病毒的侵入。

技术特点:

1.创建以下几个互斥量来防止NetSky病毒运行:MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D 'D'r'o'p'p'e'd'S'k'y'N'e't' _-oOaxX|- S - k - y - N - e - t -|XxKOo-_ [SkyNet.cz]SystemsMutex AdmSkynetJklS003 ____--->>>>U<<<<--____ _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

2.在被感染的机器上创建以下文件:%System%\bawindo.exe%System%\bawindo.exeopen%System%\bawindo.exeopenopen%System%\re_file.exe

3.在注册表HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run中增加"wingo"="%System%\wingo.exe"来确保自身能随计算机启动

4.从HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run删除包含以下字符串的键值:My AVZone Labs Client Ex9XHtProtectAntivirusSpecial Firewall ServiceserviceTiny AVICQNetHtProtectNetDyJammer2ndFirewallSvrMsInfoSysMonXPEasyAVPandaAVEngineNorton Antivirus AVKasperskyAVEngSkynetsRevengeICQ Net

5.在包含"shar"字符串的目录下创建文件,文件名可能为下列字符:Microsoft Office 2003 Crack, Working!.exe Microsoft Windows XP, WinXP Crack, working Keygen.exe Microsoft Office XP working Crack, Keygen.exe Porno, sex, oral, anal cool, awesome!!.exe Porno Screensaver.scr Serials.txt.exe KAV 5.0 Kaspersky Antivirus 5.0 Porno pics arhive, xxx.exe Windows Sourcecode update.doc.exe Ahead Nero 7.exe Windown Longhorn Beta Leak.exe Opera 8 New!.exe XXX hardcore images.exe WinAmp 6 New!.exe WinAmp 5 Pro Keygen Crack Update.exe Adobe Photoshop 9 full.exe Matrix 3 Revolution English Subtitles.exe ACDSee 9.exe

6.搜索以下列字符串为扩展名的文件来获得Email地址,并用自带的SMTP引擎发送带毒邮件.adb .asp .cfg .cgi .dbx .dhtm .eml .htm .jsp .mbx .mdx .mht .mmf .msg .nch .ods oft .php .pl .sht .shtm .stm .tbb .txt .uin .wab .wsh .xls .xml7.病毒发送的带毒邮件具有如下特征:发件人:伪造的主题:Re:Re: HelloRe: Thank you!Re: Thanks :)Re: Hi

正文::):))

附件:文件名可能为:PricepriceJoke扩展名可能为:.com/.scr/.cpl

8.该病毒不会向包含以下字符串的邮件地址发送邮件@avp. @foo @hotmail @iana @messagelab @microsoft @msn abuse admin anyone@ bsd bugs@ cafee certific contract@ f-secur feste free-av gold-certs@ google help@ icrosoft info@ kasp linux listserv local news nobody@ noone@ noreply ntivi panda pgp postmaster@ rating@ root@ samples sopho spam support unix update winrar winzip

9.尝试从下列网站下载文件www.bottombouncer.comwww.bottombouncer.comwww.anthonyflanagan.comwww.bradster.comwww.traverse.comwww.ims-i.comwww.realgps.comwww.aviation-center.dewww.gci-bln.dewww.pankration.comwww.jansenboiler.comwww.corpsite.comwww.everett.wednet.eduwww.onepositiveplace.orgwww.raecoinc.comwww.wwwebad.comwww.corpsite.comwww.wwwebmaster.com www.wwwebad.comwww.dragcar.comwww.wwwebad.comwww.oohlala-kirkland.comwww.calderwoodinn.comwww.buddyboymusic.comwww.smacgreetings.comwww.tkd2xcell.comwww.curtmarsh.comwww.dontbeaweekendparent.comwww.soloconsulting.comwww.lasermach.comwww.generationnow.netwww.flashcorp.comwww.kencorbett.comwww.FritoPie.NETwww.leonhendrix.comwww.transportation.gov.bhwww.transportation.gov.bhwww.jhaforpresident.7p.comwww.DarrkSydebaby.comwww.cntv.infowww.sugardas.ltwww.adhdtests.comwww.argontech.netwww.customloyal.comwww.ohiolimo.comwww.topko.skwww.alupass.luwww.sigi.luwww.redlightpictures.comwww.irinaswelt.dewww.bueroservice-it.dewww.kranenberg.dewww.kranenberg.dewww.the-fabulous-lions.dewww.the-fabulous-lions.dewww.mongolische-renner.dewww.mongolische-renner.dewww.capri-frames.dewww.capri-frames.dewww.aimcenter.netwww.boneheadmusic.comwww.fludir.iswww.sljinc.comwww.tivogoddess.comwww.fcpages.comwww.andara.comwww.freeservers.comwww.programmierung20d 0a0.dewww.asianfestival.nlwww.aviation-center.dewww.gci-bln.dewww.mass-i.kiev.uawww.jasnet.plwww.atlantisteste.hpg.com.brwww.fludir.iswww.rieraquadros.com.brwww.metal.plwww.handsforhealth.comwww.angelartsanctuary.comwww.firstnightoceancounty.orgwww.chinasenfa.comwww.chinasenfa.comwww.ulpiano.orgwww.gamp.plwww.vikingpc.plwww.woundedshepherds.comwww.cpc.adv.brwww.velocityprint.comwww.esperanzaparalafamilia.comwww.celula.com.mxwww.mexis.comwww.wecompete.comwww.vbw.infowww.gfn.orgwww.aegee.orgwww.deadrobot.comwww.cscliberec.czwww.ecofotos.com.brwww.amanit.ruwww.bga-gsm.ruwww.innnewport.comwww.knicks.nlwww.srg-neuburg.dewww.mepmh.dewww.mepbisu.dewww.kradtraining.dewww.polizeimotorrad.dewww.sea.bz.itwww.uslungiarue.itwww.gcnet.ruwww.aimcenter.netwww.vandermost.dewww.vandermost.dewww.szantomierz.art.plwww.immonaut.skwww.eurostavba.skwww.spadochron.plwww.pyrlandia-boogie.plwww.kps4parents.comwww.pipni.czwww.selu.eduwww.travelchronic.dewww.fleigutaetscher.chwww.irakli.orgwww.oboe-online.comwww.oboe-online.comwww.pe-sh.comwww.idb-group.netwww.ceskyhosting.czwww.ceskyhosting.czwww.hartacorporation.comwww.glass.lawww.glass.lawww.24-7-transportation.comwww.fepese.ufsc.brwww.ellarouge.com.auwww.bbsh.orgwww.boneheadmusic.comwww.sljinc.comwww.tivogoddess.comwww.fcpages.comwww.szantomierz.art.plwww.elenalazar.comwww.ssmifc.cawww.reliance-yachts.comwww.worest.com.arwww.kps4parents.comwww.coolfreepages.comwww.scanex-medical.fiwww.jimvann.com

标签: